Id Text Action
1 Anatomy Terms of Service, Privacy Policy and DPA V6

Terms of Service
Effective Date: [DATE]

These Terms of Service (the “Terms”) govern access to and use of Anatomy, also referred to as L.B. Foster’s Anatomy Asset Management System or Anatomy Asset Intelligence, including the related platform, software, dashboards, APIs, agents, and related services (collectively, the “Service”). These Terms are entered into by and between L.B. Foster Company, a Pennsylvania corporation (“Company”), and the customer identified in an applicable Order Form, online registration, or other ordering document (“Customer”). By accessing or using the Service, clicking to accept these Terms, or executing an Order Form, Master Service Agreement, or other ordering document that references these Terms, Customer agrees to be bound by these Terms.
If Customer and Company have executed a separate written Master Service Agreement or other negotiated agreement governing Customer’s use of the Service (an “MSA”), the MSA will control over these Terms solely to the extent of any conflict or inconsistency. In the absence of an applicable MSA, these Terms govern Customer’s access to and use of the Service.

1. Definitions and Interpretive Rules
1.1 “Aggregated Data” means data that has been combined or summarized with other data so that it does not identify, and cannot reasonably be used to identify, Customer, an Authorized User, any individual, or any specific Customer asset, system, account, or environment.
1.2 “Authorized User” means an employee, contractor, or other individual authorized by Customer to access and use the Service on Customer’s behalf.
1.3 “Customer Data” means telemetry, sensor data, operational data, asset data, device status information, configuration state, event data, diagnostic data, performance data, location data where enabled, command history, and other data transmitted by, collected from, or generated by Customer’s connected assets, endpoints, equipment, or related systems through the Service. Customer Data may include Personal Data. To the extent Customer Data includes or constitutes Personal Data, Company will process such Personal Data in accordance with the Privacy Policy, the DPA, and applicable law.
1.4 “Customer Environment” means Customer’s assets, devices, endpoints, equipment, systems, networks, accounts, credentials, software, data, infrastructure, facilities, and operating environments monitored, administered, accessed, controlled, or managed through the Service.
1.5 “De-identified Data” means data that Company has processed so that it cannot reasonably be used to identify Customer, an Authorized User, any individual, or any specific Customer asset, system, account, or environment, taking into account the data itself and other information reasonably available to Company.
1.6 “Derived Data” means data, analyses, models, metrics, scores, trends, insights, benchmarks, predictions, alerts, recommendations, Aggregated Data, De-identified Data, and other information or outputs generated by or through the Service from Customer Data, Usage Data, or both. Derived Data excludes Customer Data itself and any data that merely reproduces Customer Data in substantially untransformed form.
1.7 “Documentation” means Company’s user guides, technical documentation, and usage instructions for the Service made available to Customer.
1.8 “DPA” means Company’s Data Processing Agreement applicable to Personal Data processed by Company on behalf of Customer in connection with the Service.
1.9 “MSA” means a separate written master services agreement or other negotiated agreement executed by authorized representatives of Company and Customer governing Customer’s access to or use of the Service.
1.10 “Order Form” means an order form, statement of work, online sign-up flow, purchase document, or other ordering document specifying the Service purchased by Customer.
1.11 “Online Terms” means these Terms as presented through Company’s website, application, registration flow, or similar clickwrap, browsewrap, or electronic acceptance mechanism.
1.12 “Permitted AI/ML Uses” means the development, training, retraining, tuning, testing, validation, operation, and improvement of machine learning and artificial intelligence models, features, automations, analytics, and related systems using Aggregated Data, De-identified Data, Derived Data, Usage Data, or Customer Data for which Customer has provided any opt-in required under Section 6.4(b), in each case subject to these Terms, the Privacy Policy, the DPA, applicable law, and any applicable customer opt-in or opt-out rights.
1.13 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual, or that is otherwise regulated as personal data, personal information, personally identifiable information, or a similar term under applicable privacy or data protection law.
1.14 “Remote Actions” means commands, policies, configurations, automations, remediations, patches, shutdowns, restarts, locks, wipes, settings changes, escalations, and other monitoring, administration, management, remediation, or control actions initiated, configured, approved, requested, or performed through the Service.
1.15 “Usage Data” means data regarding the performance, operation, security, support, administration, and use of the Service, including analytics, metadata, logs, telemetry, audit trails, command histories, configuration records, user activity records, and similar operational or technical data.
1.16 Data Classification. The data categories in these Terms are not mutually exclusive. Customer Data, Usage Data, Derived Data, and other Service-related data may include or constitute Personal Data to the extent such data identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual. A data element’s classification as Customer Data, Usage Data, or Derived Data does not limit any privacy, data protection, confidentiality, or security obligations applicable to Personal Data.
1.17 De-identification Controls. Company will process De-identified Data using contractual and technical controls designed to prohibit re-identification and will not attempt to re-identify De-identified Data except as permitted by applicable law and the Agreement.

2. Access and License
2.1 Provision of Service. Subject to these Terms and payment of applicable fees, Company grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the applicable subscription term to access and use the Service solely for Customer’s internal business purposes.
2.2 Authorized Users. Customer may permit Authorized Users to use the Service only on Customer’s behalf and subject to these Terms. Customer is responsible for all acts and omissions of its Authorized Users.
2.3 Restrictions.
Customer will not, and will not permit any third party to: (a) copy, modify, or create derivative works of the Service except as expressly permitted; (b) reverse engineer, decompile, disassemble, or otherwise attempt to derive source code, underlying ideas, or algorithms of the Service, except to the limited extent prohibited by law; (c) sell, resell, lease, sublicense, distribute, or otherwise make the Service available to third parties except as expressly authorized; (d) access or use the Service to build a competing product or service; (e) bypass or breach any security device or protection used by the Service; (f) use the Service in violation of applicable law; or (g) upload, transmit, or process through the Service any malicious code.

3. Customer Responsibilities
3.1 Customer Environment. Unless otherwise expressly agreed in an MSA, statement of work, or other separate written services agreement executed by the parties, Customer is solely responsible for: (a) the legality, accuracy, quality, and integrity of Customer Data; (b) obtaining and maintaining the Customer Environment and all access, credentials, consents, notices, permissions, approvals, and connectivity necessary to use the Service; and (c) the operation, maintenance, condition, and security of the Customer Environment. To the extent a written agreement expressly assigns any of these responsibilities to Company, Company will be responsible only for the obligations expressly assumed in that agreement.
3.2 Remote Actions. Customer acknowledges that Remote Actions may materially affect the Customer Environment and may be disruptive, destructive, irreversible, or require restoration or reconfiguration efforts. Unless otherwise expressly agreed in an MSA, statement of work, or other separate written services agreement executed by the parties, Customer is solely responsible for determining whether any Remote Action is appropriate for its Customer Environment.
3.3 Required Authorizations and Notices.
Customer is solely responsible for obtaining, maintaining, and documenting all authorizations, approvals, consents, and notices necessary for use of the Service, including any legally required employee, contractor, end-user, or third-party notices or consents.
3.4 Prohibited Use. Customer will not use the Service for unlawful surveillance, unauthorized access, stalking, harassment, interception, or any activity that violates privacy, employment, consumer protection, wiretap, computer crime, or cybersecurity laws.

4. Managed Service
4.1 Engagement and Scope. If expressly set forth in an applicable MSA, statement of work, Order Form, runbook, playbook, support process, or other written service description agreed by the parties, Company may provide managed, monitoring, administration, remediation, or other operational services through the Service on Customer’s behalf (“Managed Service”). Company will have no obligation to perform Managed Service except as expressly set forth in such documentation.
4.2 Authority and Cooperation. Customer authorizes Company personnel and Company-authorized contractors to access and operate the Service, Customer assets, and connected environments solely as reasonably necessary to perform the Managed Service within the agreed scope. Customer will timely provide all access, credentials, approvals, asset inventories, technical contacts, maintenance windows, dependencies, notices, and other cooperation reasonably necessary for Company to perform the Managed Service.
4.3 Performance Standard and Limitations. Unless otherwise expressly stated in an applicable MSA, statement of work, or other separate written services agreement, Company will perform Managed Service in a professional and workmanlike manner consistent with ordinary industry practice. Customer acknowledges that Managed Service may involve judgment calls, incomplete information, time-sensitive decisions, third-party dependencies, and operational constraints.
Company does not guarantee that Managed Service will prevent all outages, incidents, losses, vulnerabilities, or adverse operational outcomes.
4.4 No Implied Obligations. Managed Service does not create any fiduciary duty, outsourced operator status, or general duty to monitor, escalate, prevent, or remediate all events, incidents, vulnerabilities, or asset conditions unless expressly stated in the applicable written agreement.
4.5 Suspension or Refusal. Company may suspend, refuse, or delay any requested Managed Service activity if Company reasonably believes the activity: (a) is unauthorized; (b) may violate applicable law; (c) poses a material security, safety, operational, or third-party risk; or (d) falls outside the agreed Managed Service scope.
4.6 Records. Company may maintain logs, audit trails, tickets, approvals, command histories, and related records concerning Managed Service activities for service delivery, security, compliance, support, dispute resolution, and business recordkeeping purposes, subject to the Agreement, the Privacy Policy, and any applicable DPA.

5. Fees and Payment
5.1 Fees. Customer will pay all fees set forth in the applicable Order Form or MSA.

6. Customer Data, Usage Data, Derived Data, and AI/ML
6.1 Customer Data Ownership. As between the parties, Customer retains all right, title, and interest in and to Customer Data.
6.2 Service Delivery License. Customer grants Company a non-exclusive right to host, copy, transmit, display, modify, analyze, transform, structure, label, annotate, tokenize, extract features from, and otherwise process Customer Data as necessary to: (a) provide, secure, maintain, support, and improve the Service; (b) perform Customer-authorized Remote Actions; (c) perform obligations under the Agreement; and (d) exercise rights expressly permitted under the Agreement.
To the extent Customer Data includes or constitutes Personal Data, Company will process such Personal Data in accordance with the Privacy Policy, the DPA, and applicable law.
6.3 Usage Data and Derived Data. Company may collect, generate, retain, use, disclose, and otherwise process Usage Data and Derived Data for lawful business purposes, including service delivery, account administration, authentication, analytics, optimization, support, security, fraud prevention, incident investigation, audit, compliance, product development, product improvement, benchmarking, reporting, billing verification, and enforcement of the Agreement. As between the parties, Company retains all right, title, and interest in and to Usage Data, Derived Data, and related intellectual property rights, subject to Customer’s ownership of Customer Data and Company’s obligations under the Agreement, the Privacy Policy, the DPA, and applicable law.
6.4 AI/ML Use Rights and Restrictions. Company may conduct Permitted AI/ML Uses for lawful internal business purposes, subject to the following limitations:
(a) Permitted Data. Company may use Aggregated Data, De-identified Data, Derived Data, Usage Data, and Customer Data for which Customer has provided the opt-in required under Section 6.4(b), in each case for Permitted AI/ML Uses and subject to Sections 6.4(c) and 6.5.
(b) Customer Data Opt-In. Company will not use Customer Data that has not been Aggregated and De-identified for Permitted AI/ML Uses unless Customer expressly opts in through an Order Form, the Service’s administrative console, or another written agreement between the parties.
(c) Personal Data Restriction. Company will not use Personal Data for Permitted AI/ML Uses unless otherwise expressly agreed in writing by the parties and permitted by applicable law.
This restriction does not limit Company’s processing of Personal Data as necessary to provide customer-specific Service functionality in accordance with the Agreement, the Privacy Policy, the DPA, and applicable law.
(d) Third-Party Model Providers. Company will not disclose Customer Data to third-party model providers for Permitted AI/ML Uses unless otherwise expressly agreed in writing by Customer.
(e) Prospective Withdrawal. Customer may withdraw or modify an opt-in by written notice or through available administrative console controls. Any withdrawal or modification applies prospectively only and does not require Company to delete, retrain, roll back, modify, or cease use of models, systems, features, automations, analytics, outputs, learnings, or derived outputs developed or improved before the effective date of the withdrawal or modification.
(f) Customer-Specific Service Use. No opt-in withdrawal or modification limits Company’s ability to use data as necessary to provide, secure, maintain, support, comply with law, or improve the Service on a customer-specific basis.
6.5 Personal Data Limitations. Company’s ownership of Usage Data and Derived Data, and Company’s rights to conduct Permitted AI/ML Uses, do not limit any privacy, data protection, confidentiality, or security obligations applicable to Personal Data contained in such data. To the extent Usage Data, Derived Data, or Customer Data constitutes Personal Data, Company will process it in accordance with the Privacy Policy, the DPA, and applicable law.
6.6 Customer-Facing Outputs. To the extent the Service provides Customer with access to reports, analytics, alerts, recommendations, dashboards, benchmarks, scores, or other outputs generated for Customer through the Service, Customer may use those outputs for its internal business purposes during the applicable subscription term, subject to the Agreement.
Nothing in the Agreement transfers to Customer any ownership interest in the Service, Usage Data, Derived Data, or Company’s underlying models, methods, analytics, or intellectual property.

7. Privacy and Security
7.1 Privacy Policy. Company’s collection and use of Personal Data is described in the Privacy Policy available at [URL].
7.2 Data Processing Agreement. If Company processes Personal Data on behalf of Customer as a service provider or processor, Company’s then-current online DPA available at [URL] is incorporated into these Terms by reference and applies automatically, unless the parties have executed a separate DPA. Conflict and order-of-precedence rules are set forth in Section 18.
7.3 Security Measures. Company will maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Customer Data against unauthorized access, use, alteration, or disclosure.

8. Confidentiality
8.1 Definition. “Confidential Information” means non-public information disclosed by one party (“Discloser”) to the other (“Recipient”) that is designated as confidential or that reasonably should be understood to be confidential, including business plans, product information, security information, technical data, pricing, and Customer Data.
8.2 Obligations. Recipient will: (a) use Confidential Information only to perform or exercise rights under these Terms; and (b) protect Confidential Information using at least reasonable care, and no less than the care it uses to protect its own similarly sensitive information. Recipient’s use of Confidential Information as expressly permitted under Sections 6.2 through 6.4, and in accordance with the Agreement, Privacy Policy, DPA, and applicable law, will not be deemed a breach of this Section 8.
8.3 Exclusions.
Confidential Information does not include information that: (a) is or becomes public through no fault of Recipient; (b) was lawfully known to Recipient without restriction before disclosure; (c) is lawfully received from a third party without restriction; or (d) is independently developed without use of the Discloser’s Confidential Information.
8.4 Required Disclosure. Recipient may disclose Confidential Information to the extent required by law, subpoena, or court order, provided Recipient gives prompt notice where legally permitted and reasonably cooperates with efforts to seek protective treatment.

9. Intellectual Property
9.1 Company IP. Company and its licensors retain all right, title, and interest in and to the Service, platform, software, APIs, dashboards, Documentation, Usage Data, Derived Data, and all related intellectual property rights. Company and its licensors also retain all right, title, and interest in and to analytics methods, models, machine learning and artificial intelligence systems, algorithms, workflows, automations, improvements, enhancements, modifications, derivative works, generic know-how, techniques, methods, processes, and related intellectual property rights.
9.2 Feedback. If Customer provides suggestions, enhancement requests, recommendations, or other feedback regarding the Service, Company may use such feedback without restriction or obligation.

10. Third-Party Services
The Service may interoperate with third-party services, devices, software, or APIs. Company is not responsible for the availability, operation, security, or performance of third-party offerings, and Customer’s use of such offerings is governed by the applicable third-party terms.

11. Warranties; Disclaimers
11.1 Mutual Authority. Each party represents that it has the full power and authority to enter into these Terms.
11.2 Service Warranty.
Company warrants that the Service will perform in all material respects in accordance with the Documentation under normal authorized use.
11.3 Exclusive Remedy for Warranty Breach. Company’s sole obligation, and Customer’s exclusive remedy, for any breach of warranty under these Terms is for Company to use commercially reasonable efforts to correct the nonconformity, provide a workaround, or terminate the affected Service and refund any unused prepaid fees for the affected Service.
11.4 Remote Action Limitation. Except to the extent expressly set forth in an applicable MSA, statement of work, or other separate written services agreement, Company does not warrant that any Remote Action will be successful, timely, non-disruptive, reversible, free from unintended effects, appropriate for Customer’s specific environment, or capable of achieving Customer’s intended operational result.
11.5 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS, THE SERVICE, DOCUMENTATION, AND ALL RELATED COMPONENTS ARE PROVIDED “AS IS” AND “AS AVAILABLE.” COMPANY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. COMPANY DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE, OR THAT USE OF THE SERVICE WILL PREVENT LOSS, DAMAGE, MISCONFIGURATION, INTERRUPTION, DEGRADATION, OR INCIDENTS AFFECTING CUSTOMER’S ASSETS, SYSTEMS, DATA, OR OPERATIONS.

12. Indemnification
12.1 By Company. Company will defend Customer against any third-party claim alleging that the Service, when used as authorized under these Terms, infringes a US patent, copyright, or trade secret, and will pay damages finally awarded or amounts agreed in settlement, provided Customer promptly notifies Company, permits Company to control the defense and settlement, and reasonably cooperates.
12.2 Exclusions.
Company has no obligation under Section 12.1 to the extent a claim arises from: (a) Customer Data; (b) combinations with items not supplied by Company; (c) modifications not made by Company; (d) use contrary to the Documentation or these Terms; or (e) continued use after Company has provided a non-infringing alternative.
12.3 Remedies. If the Service becomes, or in Company’s opinion is likely to become, subject to an infringement claim, Company may: (a) procure for Customer the right to continue using the Service; (b) modify or replace the Service with a functionally equivalent non-infringing alternative; or (c) terminate the affected Service and refund prepaid fees for the terminated portion of the unused subscription term. This Section states Company’s sole and exclusive liability, and Customer’s exclusive remedy, for intellectual property infringement claims.
12.4 By Customer. Customer will defend, indemnify, and hold harmless Company and its affiliates from and against any third-party claims, damages, liabilities, costs, and expenses arising out of or related to: (a) Customer Data, including Customer’s inclusion of Personal Data in Customer Data unless otherwise expressly agreed in writing by the parties; (b) Customer’s or its Authorized Users’ use of the Service in violation of these Terms or applicable law; (c) the Customer Environment or any Remote Action initiated, configured, approved, requested, or performed by or for Customer through the Service; (d) Customer’s failure to obtain required rights, permissions, notices, consents, or authorizations, including under Section 3.3; or (e) Customer’s failure to obtain rights, permissions, notices, consents, or authorizations necessary for Company’s use of Customer Data as permitted under Section 6.4. This Section 12.4 does not apply to the extent a claim arises directly from obligations expressly assumed by Company in an applicable MSA, statement of work, or other separate written services agreement.

13. Limitation of Liability
13.1 Exclusion of Damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, GOODWILL, DATA, BUSINESS INTERRUPTION, SUBSTITUTE SERVICES, RESTORATION COSTS, OR LOSS, INTERRUPTION, OR CORRUPTION OF DATA, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SECTION 13.1 DOES NOT LIMIT ANY EXPRESS REMEDY, SUPER-CAP, OR EXCEPTION SET FORTH IN THIS SECTION 13.
13.2 General Liability Cap. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EXCEPT AS PROVIDED IN SECTIONS 13.3 AND 13.4, EACH PARTY’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THE AGREEMENT WILL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO COMPANY FOR THE AFFECTED SERVICE UNDER THE ORDER FORM GIVING RISE TO THE CLAIM DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. IF A CLAIM DOES NOT ARISE FROM A SPECIFIC ORDER FORM, THE CAP WILL BE CALCULATED BASED ON THE FEES PAID OR PAYABLE FOR THE AFFECTED SERVICE DURING THAT TWELVE (12) MONTH PERIOD. IF CUSTOMER ACCESSES THE SERVICE ON A FREE, TRIAL, BETA, EVALUATION, OR OTHER NO-FEE BASIS, COMPANY’S TOTAL AGGREGATE LIABILITY WILL NOT EXCEED ONE HUNDRED DOLLARS ($100).
13.3 Super-Cap for Security, Privacy, Confidentiality, and DPA Claims. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO: (A) A BREACH OF CONFIDENTIALITY OBLIGATIONS; (B) A BREACH OF SECTION 7.3; (C) A SECURITY INCIDENT; (D) A VIOLATION OF THE DPA; OR (E) A PRIVACY OR DATA PROTECTION CLAIM RELATING TO PERSONAL DATA, WILL NOT EXCEED TWO (2) TIMES THE AMOUNT CALCULATED UNDER SECTION 13.2. THIS SECTION 13.3 DOES NOT LIMIT CUSTOMER’S OBLIGATIONS UNDER SECTION 12.4 OR CUSTOMER’S VIOLATION OF COMPANY’S INTELLECTUAL PROPERTY RIGHTS.
13.4 Uncapped Claims.
The limitations in Sections 13.2 and 13.3 do not apply to: (a) Customer’s payment obligations; (b) Customer’s violation of Company’s intellectual property rights; (c) Customer’s indemnification obligations under Section 12.4; (d) fraud, willful misconduct, or intentional misconduct; or (e) liability that cannot be limited under applicable law. Company’s indemnification obligations under Section 12.1 remain subject to Section 13.2 unless the applicable MSA or Order Form expressly states otherwise.
13.5 Remote Actions, Managed Service, and Operational Claims. The exclusions and limitations in this Section 13 apply to all claims arising out of or relating to Remote Actions, Managed Service activities, Customer Environment impacts, asset downtime, operational interruption, configuration changes, remediation costs, restoration costs, loss of data, corruption of data, or business interruption, except to the extent liability cannot be limited under applicable law or Company has expressly assumed a different liability standard in an applicable MSA, statement of work, Order Form, or other separate written agreement executed by the parties.
13.6 Allocation of Risk. The parties acknowledge that the fees and other economic terms of the Agreement reflect the allocation of risk set forth in this Section 13 and that the limitations in this Section 13 apply regardless of the form of action, whether in contract, tort, negligence, strict liability, statute, or otherwise.

14. Term and Termination
14.1 Term. These Terms begin on the Effective Date and continue until all Order Forms have expired or been terminated.
14.2 Termination for Cause. Either party may terminate these Terms or an Order Form upon written notice if the other party materially breaches these Terms and does not cure the breach within thirty (30) days after receiving notice.
14.3 Suspension.
Company may suspend access to the Service immediately if Customer’s use of the Service poses a security risk, may harm the Service or others, or violates applicable law or these Terms.
14.4 Effect of Termination. Upon expiration or termination of the Agreement, Customer’s rights to access and use the Service will cease.
14.5 Customer Data Deletion. Following expiration or termination of the Agreement, Company will delete Customer Data within ninety (90) days after receiving Customer’s written deletion request, unless retention is required by applicable law or reasonably necessary for backup, archival, security, legal, compliance, or dispute-resolution purposes.
14.6 Retained Records. Company may retain and continue to use Usage Data and Derived Data after expiration or termination for lawful business purposes in accordance with the Agreement, the Privacy Policy, the DPA, and applicable law.
14.7 Model and Output Carveout. Deletion of Customer Data will not require Company to delete, retrain, roll back, modify, or cease use of models, systems, features, automations, analytics, outputs, learnings, Derived Data, Usage Data, model parameters, weights, or other outputs created, trained, retrained, tuned, tested, validated, operated, or improved before deletion, except to the extent required by applicable law or expressly agreed in writing.

15. Acceptable Use
Customer will not, and will not permit any Authorized User or third party to, use the Service to: (a) gain unauthorized access to any person’s device, account, network, or environment; (b) monitor individuals or devices without proper authorization or required notice and consent; (c) violate any employment, privacy, data protection, export control, sanctions, or cybersecurity law; (d) introduce malware, ransomware, spyware, or other harmful code; (e) interfere with or disrupt the integrity or performance of the Service; or (f) test, scan, or probe systems without authorization.

16. Publicity
Company may identify Customer by name and logo as a customer of the Service in Company’s customer lists and marketing materials, unless Customer opts out in writing.

17. Governing Law; Dispute Resolution
These Terms are governed by the laws of the Commonwealth of Pennsylvania, United States of America, without regard to conflict-of-laws rules. The state and federal courts located in the Commonwealth of Pennsylvania will have exclusive jurisdiction over any dispute arising out of or relating to these Terms, and each party consents to such jurisdiction and venue.

18. Contract Structure and Order of Precedence
18.1 Online Terms. These Terms may be accepted by electronic assent, including click-through or similar online acceptance methods, and are intended to govern self-serve, website-based, trial, and other non-negotiated access to the Service.
18.2 Negotiated Agreements. If the parties enter into an MSA, the MSA together with any associated Order Form will govern the purchased Service covered by that MSA.
18.3 Supersession. An MSA supersedes these Online Terms solely with respect to the subject matter addressed in the MSA and solely to the extent of any inconsistency or conflict. Except as expressly modified or superseded by an MSA, these Terms remain applicable.
18.4 Order of Precedence. Unless the applicable MSA expressly states otherwise, the order of precedence is: (a) the MSA; (b) the applicable Order Form; (c) the DPA, whether incorporated online or separately executed; (d) these Terms; and (e) the Privacy Policy. Notwithstanding the foregoing, the DPA controls with respect to processing of Personal Data except to the extent an executed MSA expressly states otherwise.

19. Miscellaneous
19.1 Entire Agreement.
Unless an MSA applies, these Terms, together with each applicable Order Form, the Privacy Policy, and any incorporated DPA, constitute the entire agreement between the parties regarding the Service and supersede all prior or contemporaneous agreements on the same subject matter. If an MSA applies, then the MSA and its associated documents constitute the governing agreement as provided in Section 18.
19.2 Additional Terms. Customer purchase orders, procurement terms, vendor onboarding terms, portal terms, or other customer-provided terms will have no force or effect unless expressly agreed in writing by Company.
19.3 Assignment. Neither party may assign these Terms without the other party’s prior written consent, except to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets.
19.4 Force Majeure. Neither party will be liable for delay or failure to perform due to causes beyond its reasonable control, excluding payment obligations.
19.5 Notices. Legal notices must be sent to the addresses set forth in the applicable Order Form or to such other address as a party may designate in writing.
19.6 English Language. Any translation of these Terms or any other part of the Agreement into a language other than English is provided for convenience only. In the event of any conflict, inconsistency, or discrepancy between the English-language version and any translated version, the English-language version will control.
19.7 Amendment. Company may update these Terms from time to time. Unless an MSA applies or otherwise stated in an Order Form, updates to these Terms will become effective upon posting or as otherwise communicated to Customer. Continued use of the Service after the effective date of an update constitutes acceptance of the updated Terms. No amendment to an MSA will be effective unless made in accordance with the amendment provisions of that MSA.

Privacy Policy
Effective Date: [DATE]

L.B. Foster Company (“Company,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy describes how we collect, use, disclose, and otherwise process Personal Data in connection with Anatomy, also referred to as L.B. Foster’s Anatomy Asset Management System or Anatomy Asset Intelligence, including the related websites, applications, dashboards, APIs, software, and related services (collectively, the “Service”).
This Privacy Policy applies to Personal Data we collect as a business in our own right. If we process Personal Data on behalf of a business customer in providing the Service, that processing is governed by our contract with that customer, including any applicable Data Processing Agreement.

1. Relationship to Customer Data
Customer Data is defined in the applicable customer agreement and generally means connected asset, endpoint, equipment, device, telemetry, configuration, diagnostic, performance, location where enabled, command history, and related operational data processed through the Service. Customer Data may include or constitute Personal Data depending on the nature of the data and the context in which it is processed. To the extent Customer Data, Usage Data, Derived Data, operational records, or other service-related data includes or constitutes Personal Data, we process that Personal Data in accordance with this Privacy Policy, applicable contractual terms, any applicable Data Processing Agreement, and applicable law.
Where we process Personal Data on behalf of a business customer as a processor, service provider, or similar role, that processing is governed by our contract with that customer, including any applicable Data Processing Agreement. Where we process Personal Data for our own business purposes as a business, controller, or similar role, that processing is governed by this Privacy Policy and applicable law.

2. Personal Data We Collect
We may collect the following categories of Personal Data:
2.1 Contact and Account Information.
Name, business email address, phone number, company name, job title, account credentials, and account preferences. 2.2 Device, Network, Usage, Asset, and Environment Information. IP address, device identifiers, browser type, operating system, logs, session activity, clickstream data, authentication events, audit records, user activity records, device status, configuration state, network identifiers, location data where enabled, operational telemetry, event data, diagnostic data, performance data, asset health information, and records of remote commands or control actions, in each case to the extent associated with or reasonably linkable to an individual. 2.3 Communications Information. Information contained in support requests, chat messages, emails, calls, surveys, or other communications with us. 2.4 Payment and Transaction Information. Billing contact details, invoicing records, purchase records, tax-related records, remittance information, and other transaction or account administration information related to the Service. 2.5 Cookies and Similar Technologies. Information collected through cookies, SDKs, tags, pixels, and similar technologies, subject to applicable consent requirements. 2.6 Derived Data and Inferences. Analyses, metrics, scores, trends, insights, alerts, recommendations, and other information generated from Personal Data or service usage information, to the extent such information constitutes Personal Data under applicable law. 3. Sources of Personal Data We collect Personal Data from: • users and customers; • devices, browsers, and the Service; • customer administrators and account owners; • service providers, vendors, and integration partners; • publicly available sources; and • marketing, referral, and analytics partners. 4. 
How We Use Personal Data We may use Personal Data to: • provide, operate, maintain, secure, support, remotely administer, audit, and improve the Service; • authenticate users and manage accounts; • process transactions and send service-related communications; • provide customer support and respond to inquiries; • monitor performance, verify commands and control actions, debug errors, investigate incidents, prevent fraud, enforce access controls, maintain audit trails, and protect security; • analyze usage trends, asset and device activity, command execution patterns, service performance, and user experience; • develop and improve analytics, automation, AI, and machine learning features as described in Section 7; • comply with legal obligations and enforce our contracts; and • market our products and services where permitted by law. 5. How We Disclose Personal Data We may disclose Personal Data to: 5.1 Service Providers. Vendors that provide hosting, infrastructure, analytics, communications, support, security, invoicing, collections, and related business services. 5.2 Affiliates and Corporate Transactions. Our affiliates and counterparties involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets. 5.3 Integrations and Customer-Directed Disclosures. Third parties where a customer or user directs us to enable an integration, connection, or disclosure. 5.4 Legal and Safety Disclosures. Government authorities, regulators, law enforcement, courts, and other parties where required by law or reasonably necessary to protect rights, safety, and security. 5.5 Professional Advisors. Lawyers, auditors, insurers, and similar advisors under appropriate confidentiality obligations. We do not sell Personal Data or share Personal Data for cross-context behavioral advertising except as described in an applicable supplemental notice, if any. 6. 
Cookies and Similar Technologies We and our partners may use cookies and similar technologies to remember preferences, analyze usage, secure the Service, and support communications and marketing. Where required by law, we will obtain consent before using non-essential cookies. 7. Operational Records, Derived Data, and AI/ML Development We may maintain logs, telemetry, audit trails, authentication records, support records, configuration records, and records of remote commands, control actions, settings changes, and related service events for service operation, security, support, compliance, billing verification, dispute resolution, analytics, benchmarking, and improvement. To the extent the Service includes analytics, automation, anomaly detection, recommendations, alerts, classifications, predictions, or other AI/ML-enabled functionality, we may process Personal Data, Customer Data, Usage Data, Derived Data, and related service data as necessary to provide, operate, secure, maintain, support, and generate outputs from that functionality for the applicable customer in accordance with the applicable customer agreement, any applicable Data Processing Agreement, and applicable law. This customer-specific operation of Service functionality does not, by itself, authorize us to use Personal Data for AI/ML training, model development, model retraining, tuning, testing, validation, or improvement. We may use Aggregated Data, De-identified Data, Derived Data, Usage Data, and Customer Data for which the applicable customer has provided any required opt-in to develop, train, retrain, tune, test, validate, and improve analytics, automation, AI, and machine learning models, features, systems, and related functionality, subject to the applicable customer agreement and applicable law. 
We do not use Personal Data for AI/ML training, model development, model retraining, tuning, testing, validation, or improvement unless expressly agreed in writing with the applicable customer and permitted by applicable law. Any contractual opt-out from AI/ML training or improvement applies prospectively only and does not require us to delete, retrain, roll back, modify, or cease use of models, systems, features, automations, analytics, outputs, learnings, or derived outputs developed or improved before the effective date of the opt-out, except to the extent required by applicable law or expressly agreed in writing. 8. Data Retention We retain Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, meet legal, accounting, or reporting obligations, resolve disputes, enforce agreements, and protect our interests. Following expiration or termination of the applicable customer agreement, we will delete Customer Data within ninety (90) days after receiving the customer’s written deletion request, unless retention is required by applicable law or reasonably necessary for backup, archival, security, legal, compliance, or dispute-resolution purposes. We may retain and continue to use Usage Data and Derived Data after expiration or termination for lawful business purposes in accordance with the applicable customer agreement, this Privacy Policy, the DPA, and applicable law. Deletion of Customer Data does not require us to delete, retrain, roll back, modify, or cease use of models, systems, features, automations, analytics, outputs, learnings, Derived Data, Usage Data, model parameters, weights, or other outputs created or improved before deletion, except to the extent required by applicable law or expressly agreed in writing. 9. Security We use reasonable administrative, technical, and organizational safeguards designed to protect Personal Data. 
No method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security. 10. Your Privacy Rights Depending on where you reside, you may have rights regarding your Personal Data, such as the right to know, access, correct, delete, or appeal certain decisions regarding your Personal Data. If you are a California resident, you may have rights under California law, including rights to know, delete, correct, and limit certain uses of sensitive Personal Data, subject to applicable exceptions. To exercise applicable privacy rights, contact us at anatomy@lbfoster.com. We may need to verify your identity before processing a request. 11. Children’s Privacy The Service is not directed to children under 13, and we do not knowingly collect Personal Data from children under 13. 12. International Data Transfers If Personal Data is transferred to a country other than the country in which it was collected, we will take steps designed to ensure the transfer is subject to appropriate safeguards as required by applicable law. 13. Third-Party Websites and Services The Service may contain links to, or integrations with, third-party websites or services. We are not responsible for the privacy practices of third parties. 14. Supplemental US State Privacy Notice To the extent required by applicable US state privacy laws, the following disclosures apply: Categories Collected. We may collect identifiers, commercial information, Internet or network activity information, geolocation data in limited circumstances, professional or employment-related information, and other information described in this Privacy Policy. Business Purposes. 
We collect and use these categories for the purposes described in Sections 4 and 7, including service delivery, remote administration, security, logging, audit, analytics, derived data generation and use, authorized AI/ML development, communications, compliance, billing verification, and business operations. Retention. We retain each category of Personal Data for as long as reasonably necessary for the relevant disclosed purpose, unless a longer period is required or permitted by law. Sensitive Personal Data. We use sensitive Personal Data only as permitted by applicable law and only where relevant to providing and securing the Service or for other permitted business purposes. 15. Changes to This Privacy Policy We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and revise the Effective Date above. Where required by law, we will provide additional notice. 16. Contact Us If you have questions about this Privacy Policy or our privacy practices, contact us at: L.B. Foster Company 415 Holiday Dr 100 Pittsburgh, PA 15220 anatomy@lbfoster.com   Data Processing Agreement Effective Date: [DATE] This Data Processing Agreement (the “DPA”) forms part of the Terms of Service, any applicable online clickwrap or website terms, any Master Service Agreement, or other written or electronic agreement between L.B. Foster Company (“Company”) and the customer party to such agreement (“Customer”) governing Customer’s use of the Service (the “Agreement”). This DPA applies to the extent Company processes Personal Data on behalf of Customer in connection with the Service. 1. Definitions 1.1 “Applicable Data Protection Law” means US federal and state privacy and data protection laws applicable to the processing of Personal Data under the Agreement. 
1.2 “Customer Instructions” means the Agreement, this DPA, applicable Order Forms, Customer’s configuration of the Service, and Customer’s documented written directions regarding Company’s processing of Personal Data on Customer’s behalf. 1.3 “Permitted Business Purposes” means the purposes for which Company may process Personal Data under the Agreement and this DPA, including service delivery, security, support, audit, compliance, analytics, billing verification, and other business purposes expressly permitted by Applicable Data Protection Law and the Agreement. 1.4 “Personal Data” means personal data, personal information, personally identifiable information, or any similar term regulated under Applicable Data Protection Law and processed by Company on behalf of Customer in connection with the Service. 1.5 “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means. 1.6 “Security Incident” means a breach of security resulting in unauthorized or unlawful access, acquisition, destruction, use, modification, or disclosure of Personal Data processed by Company on behalf of Customer under this DPA. 1.7 “Subprocessor” means a third party authorized to process Personal Data on behalf of Company in connection with the Service. 1.8 Other Statutory Terms. “Controller,” “Processor,” “Business,” and “Service Provider” have the meanings given under Applicable Data Protection Law, as applicable. 2. Roles of the Parties 2.1 Customer and Company Roles. With respect to Personal Data processed under this DPA, Customer is the Controller or Business, as applicable, and Company is the Processor or Service Provider, as applicable. 2.2 Customer Data. Customer Data, as defined in the Agreement, generally means field IoT device, connected asset, endpoint, equipment, telemetry, configuration, diagnostic, performance, location where enabled, command history, and related operational data processed through the Service. 
Customer Data may include or constitute Personal Data depending on the nature of the data and the context in which it is processed. This DPA applies to Personal Data processed by Company on behalf of Customer in connection with the Service, regardless of whether such Personal Data is contained in Customer Data, Usage Data, Derived Data, operational records, support records, audit records, or other service-related data. A data element’s classification as Customer Data, Usage Data, Derived Data, or another data category under the Agreement does not limit Company’s obligations under this DPA, Applicable Data Protection Law, or applicable contractual terms governing Personal Data. 2.3 Independent Controller or Business Activities. Company may act as an independent controller or business for its own business operations, including billing, security, fraud prevention, legal compliance, service analytics, audit, product improvement, support, and similar internal purposes permitted by law. 2.4 AI/ML Processing. (a) Customer-Specific AI/ML Operation. To the extent the Service includes analytics, automation, anomaly detection, recommendations, alerts, classifications, predictions, or other AI/ML-enabled functionality, Company may process Personal Data as necessary to provide, operate, secure, maintain, support, and generate outputs from that functionality for Customer in accordance with the Agreement, Customer Instructions, this DPA, and Applicable Data Protection Law. Such processing is referred to in this DPA as “Customer-Specific AI/ML Operation.” (b) AI/ML Training and Improvement. For purposes of this DPA, “AI/ML Training and Improvement” means the development, training, retraining, tuning, testing, validation, or improvement of AI/ML models, systems, features, automations, analytics, or related functionality, other than Customer-Specific AI/ML Operation. (c) Personal Data Restriction. 
Company will not use Personal Data processed on behalf of Customer for AI/ML Training and Improvement unless expressly authorized in an Order Form, DPA schedule, administrative-console setting, or other written agreement between the parties and permitted by Applicable Data Protection Law. (d) Permitted Non-Personal and Opt-In Data. Company may use Aggregated Data, De-identified Data, Derived Data, Usage Data, and Customer Data for which Customer has provided any opt-in required by the Agreement for AI/ML Training and Improvement, provided that any Personal Data contained in such data remains subject to this DPA, Applicable Data Protection Law, and any applicable customer opt-in or opt-out right. (e) Customer Responsibilities. Customer is responsible for providing legally adequate notices, obtaining legally required consents or authorizations, identifying any required legal basis, and satisfying any other legal requirements applicable to Customer’s use of AI/ML-enabled Service functionality, including where Customer enables functionality that involves monitoring, profiling, automated recommendations, automated actions, or processing of employee, contractor, end-user, or third-party Personal Data. 3. Scope and Instructions 3.1 Processing Scope. Company will process Personal Data solely to provide the Service, perform its obligations under the Agreement, perform Permitted Business Purposes, comply with Customer Instructions, and as otherwise required or permitted by Applicable Data Protection Law. 3.2 Customer Instructions. Customer Instructions constitute Customer’s complete instructions to Company regarding the processing of Personal Data, unless otherwise agreed in writing. Customer instructs Company to process Personal Data as necessary for the purposes described in Section 3.1. 3.3 Lawfulness. 
Customer represents and warrants that it has provided all notices and obtained all rights, permissions, and consents necessary for Company to process Personal Data in accordance with the Agreement and this DPA. 4. Restrictions on Use of Personal Data To the extent required by Applicable Data Protection Law, Company will not: • sell or share Personal Data; • retain, use, or disclose Personal Data for any purpose other than the Permitted Business Purposes, Customer-Specific AI/ML Operation, compliance with Customer Instructions, or as otherwise permitted by Applicable Data Protection Law; • use Personal Data for AI/ML Training and Improvement unless expressly authorized in an Order Form, DPA schedule, administrative-console setting, or other written agreement between the parties and permitted by Applicable Data Protection Law; • disclose Personal Data or Customer Data to third-party model providers for AI/ML Training and Improvement unless otherwise expressly agreed in writing by Customer and permitted by Applicable Data Protection Law; • retain, use, or disclose Personal Data outside the direct business relationship between Company and Customer, except as otherwise permitted by Applicable Data Protection Law; or • combine Personal Data received from Customer with personal data received from another source, except as permitted by Applicable Data Protection Law. Company certifies that it understands and will comply with the restrictions set forth in this Section. 5. Personnel and Confidentiality Company will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations. 6. Security Taking into account the nature of the processing, Company will implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized or unlawful access, acquisition, destruction, use, modification, or disclosure. 7. Subprocessors 7.1 Authorization. 
Customer authorizes Company to engage Subprocessors to process Personal Data on Company’s behalf in connection with the Service. 7.2 Obligations. Company will impose data protection obligations on each Subprocessor that are no less protective than the obligations applicable to Company under this DPA, as appropriate to the nature of the services provided. 7.3 Liability. Company remains responsible for its Subprocessors’ performance of their data protection obligations to the extent required by Applicable Data Protection Law and the Agreement. 8. Assistance to Customer Taking into account the nature of the processing and the information available to Company, Company will provide reasonable assistance to Customer, upon written request, to help Customer comply with applicable obligations relating to privacy rights requests, security incidents, data protection assessments, and regulator inquiries. Such assistance will be provided at Customer’s cost to the extent legally permitted and only to the extent Company is legally required to provide such assistance. 9. Security Incidents 9.1 Notice. Company will notify Customer without undue delay after confirming a Security Incident affecting Personal Data processed under this DPA. 9.2 Cooperation. Company will provide information reasonably available to Company regarding the nature of the Security Incident and steps taken or recommended to mitigate its effects. 9.3 No Admission. Notification of a Security Incident is not an admission of fault or liability. 10. Privacy Rights Requests If Company receives a request from an individual seeking to exercise privacy rights relating to Personal Data processed on behalf of Customer, Company will, to the extent legally permitted, notify Customer and direct the individual to submit the request to Customer. Company may assist Customer in responding to such request as described in Section 8. 11. Deletion and Return 11.1 Deletion or Return. 
Following expiration or termination of the Agreement, Company will delete or return Personal Data processed on behalf of Customer within ninety (90) days after receiving Customer’s written deletion or return request, unless retention is required by applicable law or reasonably necessary for backup, archival, security, legal, compliance, or dispute-resolution purposes. 11.2 Customer Data. If Customer Data contains Personal Data processed on behalf of Customer, such Personal Data will be handled in accordance with Section 11.1. 11.3 Usage Data and Derived Data. Company may retain and continue to use Usage Data and Derived Data after expiration or termination for lawful business purposes in accordance with the Agreement, the Privacy Policy, this DPA, and applicable law, provided that any Personal Data contained in such Usage Data or Derived Data continues to be processed in accordance with applicable law, the Privacy Policy, and this DPA. 11.4 Model and Output Carveout. Deletion of Customer Data or Personal Data will not require Company to delete, retrain, roll back, modify, or cease use of models, systems, features, automations, analytics, outputs, learnings, Derived Data, Usage Data, model parameters, weights, or other outputs created or improved before deletion, except to the extent required by applicable law or expressly agreed in writing. 12. Audit Rights To the extent required by Applicable Data Protection Law, Company will make available to Customer information reasonably necessary to demonstrate Company’s compliance with this DPA. If such information is insufficient under Applicable Data Protection Law, Customer may request, no more than once annually and upon reasonable prior written notice, an audit or inspection of Company’s relevant policies, procedures, and records, subject to reasonable confidentiality, security, and scope limitations, and only to the extent required by Applicable Data Protection Law. 13. 
Cross-Border Data Transfers If the parties transfer Personal Data across borders and Applicable Data Protection Law requires additional safeguards, the parties will implement appropriate safeguards as required by Applicable Data Protection Law. EU/UK transfers are governed by Section 15.11 and Annex 4 to the extent applicable. 14. Termination and Conflict This DPA will remain in effect for as long as Company processes Personal Data on behalf of Customer under the Agreement. If there is a conflict between this DPA and the Agreement with respect to processing of Personal Data, this DPA will control to the extent of the conflict. If both online clickwrap terms and an MSA could apply to the relationship, the MSA will govern over the online terms to the extent of any inconsistency, and this DPA will be read consistently with that order of precedence. 15. EU/UK Data Protection Addendum 15.1 Application. This Section 15 applies to the extent Company processes Personal Data on behalf of Customer that is subject to the GDPR, UK GDPR, the UK Data Protection Act 2018, EU Member State data protection laws, or other applicable European Economic Area, Swiss, or United Kingdom data protection laws (collectively, “EU/UK Data Protection Laws”). 15.2 EU/UK Definitions. For purposes of this Section 15, “controller,” “processor,” “personal data,” “personal data breach,” “processing,” “data subject,” “supervisory authority,” “special categories of personal data,” and “subprocessor” have the meanings given under EU/UK Data Protection Laws. “GDPR” means Regulation (EU) 2016/679. “UK GDPR” means the GDPR as incorporated into United Kingdom law. “EEA” means the European Economic Area. “SCCs” means the then-current standard contractual clauses approved by the European Commission for restricted transfers of personal data. 
“UK Transfer Addendum” means the then-current international data transfer addendum approved by the UK Information Commissioner’s Office for use with the SCCs, or any successor UK transfer mechanism. 15.3 Article 28 Processor Obligations. For EU/UK Personal Data, Customer is the controller and Company is the processor unless the parties expressly agree otherwise in writing. Company will process EU/UK Personal Data only on Customer’s documented instructions, including with respect to international transfers, unless Company is required to do so by applicable law. Customer Instructions constitute Customer’s documented instructions. Company will promptly notify Customer if Company believes an instruction violates EU/UK Data Protection Laws, unless prohibited by law. If Company is required by law to process EU/UK Personal Data other than on Customer’s instructions, Company will inform Customer of that legal requirement before processing unless prohibited by law on important grounds of public interest. 15.4 Security Measures. Company will implement and maintain appropriate technical and organizational measures designed to protect EU/UK Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. Such measures are further described in Annex 2. 15.5 Subprocessors. Customer provides a general authorization for Company to engage subprocessors to process EU/UK Personal Data in connection with the Service. Company will maintain a current list of subprocessors and will provide notice of new subprocessors as required by EU/UK Data Protection Laws or the Agreement. Customer may object to a new subprocessor on reasonable data protection grounds within the notice period specified by Company. Company will impose data protection obligations on each subprocessor that are no less protective in substance than those imposed on Company under this DPA, as applicable to the subprocessor’s processing activities. 
Company remains responsible for each subprocessor’s performance of its data protection obligations to the extent required by EU/UK Data Protection Laws. 15.6 Data Subject Rights Assistance. Taking into account the nature of the processing, Company will provide reasonable assistance to Customer, by appropriate technical and organizational measures where feasible, to help Customer respond to requests from data subjects exercising rights under EU/UK Data Protection Laws. If Company receives a data subject request relating to EU/UK Personal Data processed on Customer’s behalf, Company will, to the extent legally permitted, notify Customer and will not respond substantively except on Customer’s documented instructions or as required by law. 15.7 Personal Data Breach Notice. Company will notify Customer without undue delay after becoming aware of a personal data breach affecting EU/UK Personal Data processed by Company on behalf of Customer. Company will provide information reasonably available to Company regarding the nature of the breach, affected data, likely consequences, and measures taken or proposed to address or mitigate the breach. Company will reasonably cooperate with Customer to support Customer’s assessment of any notification obligations under EU/UK Data Protection Laws. Company’s notice of or response to a breach is not an admission of fault or liability. 15.8 DPIA and Supervisory Authority Assistance. Taking into account the nature of the processing and the information available to Company, Company will provide reasonable assistance to Customer, at Customer’s cost unless otherwise required by law, with data protection impact assessments, prior consultations with supervisory authorities, and regulatory inquiries relating to Company’s processing of EU/UK Personal Data on Customer’s behalf. 15.9 Deletion and Return. 
At the end of the provision of the Service, Company will, at Customer’s choice and subject to the Agreement, delete or return EU/UK Personal Data processed on Customer’s behalf and delete existing copies, unless applicable law requires storage. Company may retain EU/UK Personal Data in backup or archival systems until overwritten in accordance with ordinary retention cycles, provided such data remains protected and is not actively processed except as required for backup, archival, security, legal, compliance, or disaster-recovery purposes. The Usage Data and Derived Data carveouts in this DPA apply to EU/UK Personal Data only to the extent such data no longer contains Personal Data or continued processing is otherwise lawful under EU/UK Data Protection Laws, the Agreement, and this DPA. 15.10 Audits and Records. Company will make available information reasonably necessary to demonstrate compliance with this Section 15 and will allow for and contribute to audits, including inspections, as required by EU/UK Data Protection Laws. Customer must first request available certifications, audit summaries, security documentation, or questionnaire responses before requesting an onsite or invasive audit. Any audit must be conducted on reasonable prior notice, during normal business hours, subject to confidentiality and security controls, without access to other customers’ data, and in a manner that does not unreasonably interfere with Company’s operations. Unless required by law or following a confirmed personal data breach, audits may not occur more than once annually. 15.11 International Transfers. To the extent Company transfers EU/UK Personal Data to a country or recipient not subject to an adequacy decision or other valid transfer mechanism, the parties will rely on an applicable lawful transfer mechanism as described in Annex 4. 
Company will provide reasonable cooperation for transfer impact assessments and will use commercially reasonable efforts to notify Customer of legally binding government access requests for EU/UK Personal Data unless prohibited by law.

15.12 Special Categories and Sensitive Data. Customer will not submit to the Service any special categories of personal data, criminal-offense data, or other Sensitive Data subject to heightened protection under EU/UK Data Protection Laws unless expressly authorized in an Order Form, DPA schedule, or other written agreement. If such data is authorized, Customer is responsible for identifying and satisfying any applicable lawful basis, Article 9 condition, Article 10 requirement, transparency obligation, and data minimization requirement. Company may reject, restrict, or delete unauthorized special categories of personal data, criminal-offense data, or Sensitive Data to the extent permitted by law and the Agreement.

15.13 AI/ML Restrictions for EU/UK Personal Data. Company will not use EU/UK Personal Data for AI/ML training, model development, model retraining, tuning, testing, validation, or improvement unless expressly authorized in an Order Form, DPA schedule, administrative console setting, or other written agreement and permitted by EU/UK Data Protection Laws. Customer is responsible for providing legally adequate notices, identifying an appropriate lawful basis, and satisfying any additional requirements applicable to profiling, automated decision-making, or similar processing. Company will not use EU/UK Personal Data for automated decision-making that produces legal or similarly significant effects concerning an individual unless expressly agreed in writing and permitted by EU/UK Data Protection Laws.

Annex 1: Description of Processing

Processing Detail: Description

Subject Matter: Provision of Anatomy, also referred to as L.B. Foster’s Anatomy Asset Management System or Anatomy Asset Intelligence.

Duration: For the term of the Agreement and any post-termination retention period permitted by the Agreement and applicable law.

Nature of Processing: Hosting, storage, transmission, analysis, monitoring, remote administration, remote control, configuration management, remediation, patching, restart, shutdown, lock, wipe, settings changes, support, security, logging, Customer-Specific AI/ML Operation, generation of Customer-specific analytics, alerts, recommendations, classifications, predictions, automations, outputs, and Derived Data, and related processing necessary to provide, secure, support, and maintain the Service. AI/ML Training and Improvement involving Personal Data processed on behalf of Customer will occur only if expressly authorized in an Order Form, DPA schedule, administrative-console setting, or other written agreement between the parties and permitted by Applicable Data Protection Law.

Purpose of Processing: To provide, operate, secure, support, maintain, and improve the Service; perform Customer-Specific AI/ML Operation; comply with Customer Instructions; perform the Permitted Business Purposes set forth in the Agreement and this DPA; and, only where expressly authorized and legally permitted, conduct AI/ML Training and Improvement involving Personal Data processed on behalf of Customer.

Categories of Data Subjects: Customer personnel, end users, contractors, vendors, device users, and other individuals whose Personal Data is processed in connection with the Service.

Categories of Personal Data: Identifiers, contact information, account information, device and asset information, network information, usage data, support communications, and other Personal Data processed in connection with the Service.

Special Categories of Personal Data: None, unless expressly authorized in an Order Form, DPA schedule, or other written agreement.

Transfers: Transfers may occur as necessary to provide the Service and as described in the Agreement, this DPA, and Annex 4.

Subprocessors: Company’s authorized subprocessors as described in Section 7 and Section 15.5.

Annex 2: Technical and Organizational Measures

Company will maintain technical and organizational measures appropriate to the nature of the Service and the processing, which may include, as applicable:
• access controls and authentication controls;
• encryption in transit and at rest;
• logging and monitoring;
• vulnerability management;
• backup and recovery measures;
• incident response procedures;
• personnel security and confidentiality obligations;
• availability and resilience measures; and
• periodic testing, assessment, and evaluation of security controls.

Annex 3: Subprocessors

Company may engage subprocessors as permitted under this DPA. Company will maintain or make available a current list of subprocessors for the Service as required by applicable law or the Agreement.

Annex 4: International Transfer Terms

For EEA transfers, the SCCs are incorporated by reference and apply as required by EU/UK Data Protection Laws. For UK transfers, the UK Transfer Addendum or other applicable UK transfer mechanism is incorporated by reference and applies as required by UK GDPR. The parties will complete and interpret the SCCs, UK Transfer Addendum, and any related annexes consistently with the processing details, security measures, and subprocessor terms in this DPA.